author | Matt Graeber <mattgraeber@gmail.com> | 2013-08-17 17:16:38 -0400 |
---|---|---|
committer | Matt Graeber <mattgraeber@gmail.com> | 2013-08-17 17:16:38 -0400 |
commit | 9bb31fc9b9b3524d4a4b45b8e92bc5fba6da6645 (patch) | |
tree | a84a9bec708f2eb44b68229269ed9f937e709f01 | |
parent | 05d335512a441437c301bd784bf02f78030caf2f (diff) | |
Removing Get-PEArchitecture
This functionality is present and maintained in Get-PEHeader.
-rw-r--r-- | PETools/Get-PEArchitecture.ps1 | 94 | ||||
-rw-r--r-- | PETools/PETools.psd1 | 3 | ||||
-rw-r--r-- | README.md | 4 |
3 files changed, 1 insertions, 100 deletions
diff --git a/PETools/Get-PEArchitecture.ps1 b/PETools/Get-PEArchitecture.ps1
deleted file mode 100644
index efc80be..0000000
--- a/PETools/Get-PEArchitecture.ps1
+++ /dev/null
@@ -1,94 +0,0 @@
-function Get-PEArchitecture
-{
-<#
-.SYNOPSIS
-
-Outputs the architecture for which a binary was compiled.
-
-PowerSploit Function: Get-PEArchitecture
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-Get-PEArchitecture returns the architecture for which a Windows portable executable was compiled.
-
-.PARAMETER Path
-
-Path to the executable.
-
-.EXAMPLE
-
-C:\PS> Get-PEArchitecture C:\Windows\SysWOW64\calc.exe
-X86
-
-.EXAMPLE
-
-C:\PS> Get-PEArchitecture C:\Windows\System32\cmd.exe
-X64
-
-.LINK
-
-http://www.exploit-monday.com
-#>
-
- Param (
- [Parameter(Position = 0, Mandatory = $True)]
- [String]
- $Path
- )
-
- if (!(Test-Path $Path)) {
- Write-Warning 'Invalid path or file does not exist.'
- return
- }
-
- # Parse PE header to see if binary was compiled 32 or 64-bit
- $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
-
- [Byte[]] $MZHeader = New-Object Byte[](2)
- $FileStream.Read($MZHeader,0,2) | Out-Null
-
- $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
- if ($Header -ne 'MZ') {
- Write-Warning 'Invalid PE header.'
- $FileStream.Close()
- return
- }
-
- # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header)
- $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null
-
- [Byte[]] $lfanew = New-Object Byte[](4)
-
- # Read offset to the PE Header (will be read in reverse)
- $FileStream.Read($lfanew,0,4) | Out-Null
- $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))
-
- # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
- $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
- [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2)
-
- # Read compiled architecture
- $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
- $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
- $FileStream.Close()
-
- if (($Architecture -ne '014C') -and ($Architecture -ne '8664') -and ($Architecture -ne '01C4')) {
- Write-Warning 'Invalid PE header or unsupported architecture.'
- return
- }
-
- if ($Architecture -eq '014C') {
- return 'X86'
- } elseif ($Architecture -eq '8664') {
- return 'X64'
- } elseif ($Architecture -eq '01C4') {
- return 'ARM'
- } else {
- return 'OTHER'
- }
-
-}
diff --git a/PETools/PETools.psd1 b/PETools/PETools.psd1
index 696eb57..d414365 100644
--- a/PETools/PETools.psd1
+++ b/PETools/PETools.psd1
@@ -74,8 +74,7 @@ ModuleList = @(@{ModuleName = 'PETools'; ModuleVersion = '1.0.0.0'; GUID = 'd150
 # List of all files packaged with this module
FileList = 'PETools.psm1', 'PETools.psd1', 'PETools.format.ps1xml', 'Get-DllLoadPath.ps1',
- 'Get-PEArchitecture.ps1', 'Get-PEHeader.ps1', 'Get-ObjDump.ps1', 'Get-ObjDump.format.ps1xml',
- 'Usage.md'
+ 'Get-PEHeader.ps1', 'Get-ObjDump.ps1', 'Get-ObjDump.format.ps1xml', 'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
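Review bot: Dropping 'Get-PEArchitecture.ps1' from FileList is only half of what a manifest edit like this usually needs; whether PETools.psm1 dot-sources each script by explicit name, or whether FunctionsToExport / ModuleList.psm1 still names Get-PEArchitecture, is outside this hunk and is not touched by the commit. If either of those enumerates the removed function, Import-Module will either fail on the missing file or advertise a command that no longer exists, and the README's promise that the functionality now lives in Get-PEHeader cannot be verified from this diff. Worth confirming with `Test-ModuleManifest .\PETools\PETools.psd1` and `Import-Module .\PETools -Force; Get-Command -Module PETools` before merging. The FileList assignment begins on the context line inside the hunk but the surrounding manifest hashtable starts and ends outside it.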
@@ -72,10 +72,6 @@ An in-memory and on-disk PE parsing utility.
 
 Displays information about one or more Windows object files.
 
-#### `Get-PEArchitecture`
-
-Returns the architecture for which an executable was compiled.
-
 #### `Get-DllLoadPath`
 
 Returns the path from which Windows will load a Dll for the given executable. |